Managing ISO27001 Documentation

3rd February 2017 Author: InfoSaaS

For an organisation looking to demonstrate their information security capability, whether to reduce risks, attract customers or avoid financial or legislative penalties, the international standard ISO/IEC27001:2013 is most commonly used as a benchmark for independent, external validation. As you digest the 30+ pages, containing over 150 specific requirements, you’ll start to notice the repeated phrase “shall retain documented information” which is setting the expectation that you need to be documenting and retaining policies, procedures and work instructions (controlled documents) alongside records that demonstrate your compliance with the many ISO27001 requirements.

This is not a trivial requirement, as even the smallest of organisations will have more than 100 controlled documents and supporting records, and significantly more for larger, more complex businesses. For each controlled document, resources need to be provided to meet the following requirements

  •          Understanding what is required, in the context of the organisation
  •          Properly and clearly written, so it can be easily understood by colleagues (and the auditor)
  •          Progressed through formal review and final approval, before being issued as live
  •          Communicated to the organisation, so they understand its purpose and requirements
  •          Subject to regular reviews, and updated to reflect changing requirements

However, very few organisations ever get this right first time around, with common issues and error arising from:

  •          Insufficient time or resources to prepare documentation properly
  •          Not understanding the requirements of ISO27001, so producing non-compliant documents
  •          Inexperience in document authoring, or lack of clarity, hindering widespread adoption
  •          Not involving business stakeholders to ensure the documentation is accurate
  •          Misalignment of policies, procedures and their supporting records

InfoSaaS has already helped hundreds of organisations worldwide address their ISO27001 documentation needs. With over 20 years’ experience, we have produced a set of documentation templates and forms to address the most common requirements, which:

  •          Address the requirements of mandatory elements of ISO/IEC27001:2013
  •          Have been used as the basis for many successful ISO27001 external assessments
  •          Have been authored by experienced ISO27001 Lead Auditors and Implementers
  •          Provide well-structured content, which is easily edited to meet each customer’s needs
  •          Are written in plain-English, helping to highlight activities and controls needed
  •          Will save your organisation significant time and effort over creating your own content

By visiting our Documentation webpage you’ll note that we have a range of documentation packs, which can be purchased and downloaded individually or together:

  •          Pack 1: ISO27001 Essentials
  •          Pack 2: Policy Kit
  •          Pack 3: Internal Audit Kit
  •          Pack 4: Supporting Information
  •          Pack 5: Information Security A4 Awareness Posters

If you require any help or assistance, please contact the InfoSaaS Team via email at or by calling +44 0203 474 1290.